Nearly 2.7 billion personal information records for people in the United States have been posted to a popular hacking forum, exposing names, addresses, and even Social Security numbers. The data allegedly comes from a company that collects and sells the data for legitimate use, but was stolen and put up for sale in April 2024.
Originally, a threat actor known as USDoD claimed to have stolen the information from National Public Data. National Public Data scrapes the information from public sources, uses it to compile individual profiles, and then sells those portfolios. The company serves private investigators as well as entities needing to conduct background checks and obtain criminal records.
When USDoD first obtained the data, it offered to sell it for $3.5 million. The hacker claimed it contained 2.9 billion records and consisted of personal information for every person in Canada, the United Kingdom, and the United States. In the past, USDoD has been linked to another database breach, trying to sell InfraGard’s user database for $50,000 in December 2023.
On Aug. 6, a user going by the alias Fenice posted what’s believed to be the most complete version of the stolen National Public Data information for free on the Breached hacking forum. Fenice says, however, that the data breach was actually done by a different hacker than USDoD, one known as SXUL.
This isn’t the first time the data from this leak has been released, but previous posts have only included partial copies of the data. These included different numbers of records and sometimes different data. Fenice has offered the most complete version of the National Public Data information and has provided it for free.
BleepingComputer was unable to confirm if the leak actually contained data for every person in the U.S. or not, but did receive confirmation from numerous individuals that their and their family members’ details were included. Tom’s Hardware has also been unable to confirm the veracity of the claim, as the two files making up the leak total 277GB of data from a rather slow download server.
Other problems have been noted with the data, including incorrect Social Security numbers. Also, the records BleepingComputer could check contained old address data, suggesting the data may come from an old backup, Finally, many people in the data leak have multiple records, one for each address they have lived at. So it’s unclear if all 333 million people in the U.S. are impacted.
Nonetheless, you should be a bit more attentive to your credit report for fraudulent activity in the coming months / years. Since the leak also includes email addresses and phone numbers, it would be a good idea to be more vigilant against phishing emails and SMS attempts trying to elicit more information from you as well.